Enterprises often perform audits to check whether firewall rules adhere to security policies. This is a labor-intensive and time-consuming manual process that involves scanning logs to identify security breaches or misconfigured rules. Auditing typically occurs after an actual security breach and increases the remediation time. Security policy enforcement is a continuous process that requires refining rules to meet changing network configurations without violating existing policies.
Nowadays, enterprises use firewalls extensively to protect themselves from malicious attacks. Firewalls have become a ubiquitous device across different network segments to fend off both insider and outsider threats as well as to enforce a secure network access policy. For example, in a typical enterprise environment, there can be multiple virtual local area networks (VLANs) providing network segregation with defined access levels within these segments, as well as remote access over the public Internet for virtual private network (VPN) and mobile users. These requirements increase the number of policies implemented in the firewall. To satisfy a security policy requirement, security administrators often need to configure one or more firewall rules. As the number of policies increases, configuring the firewall rules can become a complex task. Market research has indicated that the majority of firewall breaches result from firewall misconfigurations.
Firewall-rule management becomes even more critically important as more desktops and servers become virtualized. Auditing these rules at regular intervals adds another dimension of trust to network security. Audits are also performed to satisfy compliance with legal requirements such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI-DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Auditing typically involves manually analyzing all the firewall rules to check whether they satisfy the predefined security policy. To secure a network, a continuous auditing process might be necessary, because a rule may be sufficient to implement a policy today, but newer threats or exploits in the future would require more rules to implement the same policy. In addition to the auditing process, administrators need to frequently analyze network access logs to identify anomalous behavior indicating breached access control policies and security threats. Access logs provide valuable information on a security compromise. Searching the log file for anomalies, using tools or manually, is feasible only if the security incident has left a sufficiently long trail. Nevertheless, this manual auditing process is not always reliable and remains prone to human errors.
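As an added illustration of checking a rule set against a predefined policy (example code, not the paper's own), the Python below evaluates a constructed first-match rule set for hypothetical VLANs and a server segment against policy assertions, and also flags rules that an earlier rule shadows, one common form of misconfiguration:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and (outer.port is None or outer.port == inner.port))

def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

@dataclass(frozen=True)
class Policy:
    name: str; src_ip: str; dst_ip: str; port: int; expected: str

def audit(rules: List[Rule], policies: List[Policy]):
    """Policies whose expected verdict differs from what the rule set actually does."""
    return [(p.name, p.expected, got) for p in policies
            if (got := decide(rules, p.src_ip, p.dst_ip, p.port)) != p.expected]

# Constructed sample rule set: hypothetical VLANs and server segment, not from the paper.
RULES = [
    Rule("10.20.0.0/16", "10.50.0.10/32", 443, "allow"),  # corporate VLAN -> intranet HTTPS
    Rule("10.30.0.0/16", "0.0.0.0/0", None, "allow"),     # guest VLAN: overly broad "temporary" allow
    Rule("10.30.0.0/16", "10.50.0.0/16", None, "deny"),   # intended guest isolation, never reached
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),         # explicit cleanup rule
]
POLICIES = [
    Policy("guest-isolated-from-servers", "10.30.1.5", "10.50.0.20", 445, "deny"),
    Policy("corp-reaches-intranet-https", "10.20.1.5", "10.50.0.10", 443, "allow"),
]
```

Running `audit(RULES, POLICIES)` reports the guest-isolation policy as violated, and `shadowed(RULES)` points at the deny rule that the broad allow above it renders dead.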